Each SGD server has two certificate stores, a CA certificate truststore and a client certificate store.
Each SGD server has its own CA certificate truststore. This is the /opt/tarantella/bin/jre/lib/security/cacerts file.
The CA certificate truststore contains the CA certificates that the SGD server trusts.
The /opt/tarantella/etc/data/cacerts.txt file contains the X.500 Distinguished Names (DNs) and MD5 signatures of all the CA certificates that are in the CA certificate truststore when SGD is first installed. These are the CAs that SGD supports by default. To add support for additional CAs, you can import CA certificates into the truststore.
You might need to import CA certificates in the following circumstances:
Active Directory authentication – If SSL connections to Active Directory are used, and the SSL certificate for an Active Directory server is signed by an unsupported CA, or by an Intermediate CA
LDAP authentication – If SSL connections to LDAP directories are used, and the SSL certificate for an LDAP directory server is signed by an unsupported CA, or by an Intermediate CA
The certificates that must be imported are as follows:
Unsupported CA – Import the CA or root certificate
Intermediate CA – Import the CA certificate chain
If the tarantella security customca command is used to install a CA certificate, or CA certificate chain, this command also imports the CA certificates into the CA certificate truststore. It only does this on the SGD server on which the command is run.
To manually import CA certificates, use the keytool application. See the JDK Tools and Utilities documentation for details on how to use the keytool application. The /opt/tarantella/var/tsp/ca.pem file on the SGD host contains the CA certificate or certificate chain.
If you need to import a CA certificate chain, import each certificate in the chain separately.
The password for the CA certificate truststore is changeit.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
Repeat the following procedure on each SGD server in the array.
To import a CA certificate chain, you must import each certificate in the chain separately.
Use the following command:
# /opt/tarantella/bin/jre/bin/keytool -importcert \
-keystore /opt/tarantella/bin/jre/lib/security/cacerts \
-storepass changeit -file CA-certificate-path \
-alias alias
Use the -alias option to uniquely identify the certificate.
You must restart the SGD server for the CA certificate to become effective.
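The chain import described above, scripted as an added example (not part of the original guide or of SGD): it splits a PEM bundle such as /opt/tarantella/var/tsp/ca.pem into individual certificates and runs the keytool command shown above once per certificate. The function names, the prefix-N alias scheme and the KEYTOOL and TRUSTSTORE override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: import every certificate in a PEM chain as its own truststore entry.
KEYTOOL=${KEYTOOL:-/opt/tarantella/bin/jre/bin/keytool}
TRUSTSTORE=${TRUSTSTORE:-/opt/tarantella/bin/jre/lib/security/cacerts}

# Write each certificate in bundle $1 to $2/cert-N.pem; print how many were found.
split_chain() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Import each certificate from bundle $1 under the aliases $2-1, $2-2, ...
# (the alias prefix is a hypothetical naming scheme). Prints the number imported.
import_chain() {
    tmp=$(mktemp -d) || return 1
    count=$(split_chain "$1" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $1" >&2
        rm -rf "$tmp"
        return 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        # keytool still asks the administrator to confirm each certificate.
        "$KEYTOOL" -importcert -keystore "$TRUSTSTORE" -storepass changeit \
            -file "$tmp/cert-$i.pem" -alias "$2-$i" >&2 || { rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# Constructed two-entry bundle with placeholder bodies (not real certificates),
# only suitable for exercising split_chain or a dry run with a stand-in KEYTOOL.
sample_bundle() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-ROOT' '-----END CERTIFICATE-----'
}

# Usage: sh import-chain.sh /opt/tarantella/var/tsp/ca.pem alias-prefix
if [ "$#" -eq 2 ]; then import_chain "$1" "$2"; fi
```

Run it on each SGD server in the array, then restart the server as described above.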
Each SGD server has its own client certificate store. This is the /opt/tarantella/var/info/certs/sslkeystore file.
The client certificate store contains the client certificates that an SGD server uses to identify itself when connecting to another server.
You create and install server client certificates with the keytool application. See the JDK Tools and Utilities documentation for details on how to use the keytool application.
You must provide a password when adding or removing certificates from the client certificate store. The password for the client certificate store is unique to each SGD server and can be found in the /opt/tarantella/var/info/key file. Use this password for both the -storepass and -keypass options.
# /opt/tarantella/bin/jre/bin/keytool -genkeypair \
-keyalg rsa \
-keystore /opt/tarantella/var/info/certs/sslkeystore \
-storepass "$(cat /opt/tarantella/var/info/key)" \
-alias alias \
-keypass "$(cat /opt/tarantella/var/info/key)"
Use the -alias option to uniquely identify the key pair.
# /opt/tarantella/bin/jre/bin/keytool -certreq \
-keystore /opt/tarantella/var/info/certs/sslkeystore \
-storepass "$(cat /opt/tarantella/var/info/key)" \
-alias alias \
-keypass "$(cat /opt/tarantella/var/info/key)" \
-file CSR-path
The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.
Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.
Repeat the following procedure on each SGD server in the array.
# /opt/tarantella/bin/jre/bin/keytool -importcert \
-file certificate-path \
-keystore /opt/tarantella/var/info/certs/sslkeystore \
-storepass "$(cat /opt/tarantella/var/info/key)" \
-alias alias \
-keypass "$(cat /opt/tarantella/var/info/key)"
The alias must be the same as the alias used when generating the CSR for the client certificate. Aliases are case-insensitive.
You must restart the SGD server for the client certificate to become effective.